Over the course of about four weeks, from late July to late August of 2023, unauthorized actors stealthily gained access to McLaren Health Care Corporation’s computer systems. The network, which runs clinics and hospitals throughout Michigan, was impacted. Access to patient records was made. Names, Social Security numbers, medical records, insurance information—the kind of data that requires years to completely secure after it is released. Then, in the summer of 2024, nearly exactly a year later, it occurred once more.
There are two violations. Two summers in a row. About 2.8 million people are impacted. The $14 million class action settlement that McLaren Health Care Corporation, commonly known by its initials, MHCC, agreed to settle, with claims open through April 29, 2026, is based on that sequence.
Judge B. Chris Christenson is presiding over the case, officially named Cindy Womack-Devereaux, et al. v. McLaren Health Care Corporation, at the 7th Judicial Circuit Court in Genesee County, Michigan. Flint, the county seat, has spent years navigating institutional failures affecting the health and safety of its citizens. According to the lawsuit, MHCC neglected to put in place sufficient cybersecurity measures, which gave hackers access to private patient data on both occasions. In a pattern that has become well-known in healthcare data breach litigation, MHCC has denied any wrongdoing but consented to the settlement to settle the claims without a trial.
| Category | Details |
|---|---|
| Case Name | Cindy Womack-Devereaux, et al. v. McLaren Health Care Corporation |
| Case Number | 24-121459 |
| Court | 7th Judicial Circuit Court, Genesee County, Michigan |
| Presiding Judge | Honorable B. Chris Christenson |
| Defendant | McLaren Health Care Corporation (MHCC) |
| Settlement Amount | $14,000,000 |
| Preliminary Approval Date | December 15, 2025 |
| Final Approval Hearing | April 21, 2026 |
| Claim Deadline | April 29, 2026 |
| First Breach Period | July 28, 2023 – August 23, 2023 |
| Second Breach Period | July 17, 2024 – August 3, 2024 |
| Estimated Affected Individuals | Approximately 2,800,000 |
| Maximum Documented Loss Payment | Up to $5,000 per claimant |
| Pro Rata Cash Option | Available without documentation |
| Additional Benefit | 12 months of one-bureau credit monitoring |
| Official Settlement Website | MHCCSettlement.com |
The $14 million settlement includes a credit monitoring benefit in addition to two primary payment tracks. Up to $5,000 is available to class members who can provide proof of actual out-of-pocket losses related to the breaches, such as fraud charges, identity theft remediation costs, credit repair expenses, and up to five hours of lost time at a rate of $25 per hour. Bank statements, receipts, or other contemporaneous proof are needed for that high end. The second track, which is accessible to all members of the settlement class without the need for documentation, is a pro rata cash payment taken from the settlement fund’s remaining balance following the payment of documented-loss claims. The total number of valid claims will determine the final per-person amount under that option; it may be small, but for the majority of class members, it’s the accessible route.
When assessing what a settlement like this actually does for impacted patients, it is important to recognize that healthcare data is fundamentally different from other types of personal information that are compromised. It is possible to cancel your credit card number. You can’t use your Social Security number. Your insurance policy numbers, diagnoses, and medical history are all permanent records that will follow you for the rest of your life. The exposure doesn’t end once that information starts to circulate through the markets where stolen data is bought and sold. According to financial advisor Kevin Thompson, who was cited by Newsweek, the payout is frequently “pennies on the dollar compared to the damage caused.” He’s not incorrect. However, the settlement also mandates that McLaren fortify its data security systems and sustain those enhancements for a minimum of two years—a forward-looking component that is simple to ignore in the emphasis on monetary sums.
It’s difficult to ignore how consistently this pattern occurs in the healthcare industry. A class action is filed, a settlement is negotiated, millions of patients receive notification letters, a hospital network is compromised, and so on. Similar settlements involving health systems, insurance companies, and pharmacy chains have been announced more frequently over the past few years, so the McLaren hack isn’t the only one. The fact that the same organization experienced it twice in a 12-month period sets the MHCC case apart. The court documents detail illegal access during two distinct, almost parallel windows in successive summers, implying that the vulnerabilities that allowed the first breach had not been completely fixed prior to the second one.
The next steps are simple for anyone who received a notification letter from McLaren Health Care in 2023 or 2024. Class members who have their individual Notice ID and confirmation code can file online in a matter of minutes after the settlement website went live. To confirm eligibility, those who think they were impacted but never got a formal notice can get in touch with the settlement administrator. The deadline for filing claims is April 29, 2026, and as with all class actions, failure to do so will result in the loss of both the benefits and the ability to file a separate lawsuit for the same claims.
The Genesee County courthouse at 900 Saginaw Street in Flint was to host the final approval hearing on April 21, 2026. Although preliminary approval was given in December 2025 and no major objections seem to have derailed the process, it remains to be seen whether the settlement is ultimately approved and what the distribution timeline looks like after that. The next few weeks are crucial for the 2.8 million people who are awaiting word from a Michigan court regarding the value of their compromised medical records.
